Skip to content

fix(deps): force tmp >=0.2.6 via pnpm override (TAB-1091)#594

Merged
lmorchard merged 1 commit into
mainfrom
stafford/tab-1091-fix-high-severity-tmp-path-traversal-cve-2026-44705
Jul 16, 2026
Merged

fix(deps): force tmp >=0.2.6 via pnpm override (TAB-1091)#594
lmorchard merged 1 commit into
mainfrom
stafford/tab-1091-fix-high-severity-tmp-path-traversal-cve-2026-44705

Conversation

@srbiv

@srbiv srbiv commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

Test plan

  • pnpm install — lockfile resolves a single [email protected] everywhere; 0.2.5 fully removed.
  • rm -rf node_modules && pnpm install --frozen-lockfile — passes (verifying the exact command CI runs, learned from the TAB-1090 lockfile-sync miss).
  • pnpm -r run typecheck — all packages pass.
  • pnpm -r run test — 1,505 tests pass across core/cli/server/extension.
  • npx prettier --check package.json pnpm-lock.yaml — clean.

Linear: TAB-1091

CVE-2026-44705 / GHSA-ph9p-34f9-6g65 (high, CWE-22). tmp <0.2.6 joins
prefix/postfix/dir path segments without containment checks, allowing
directory-escape via traversal sequences or absolute paths. Same root
cause as TAB-1089/TAB-1090: wxt -> [email protected] -> [email protected],
untouched since web-ext-run has no newer release.
@srbiv
srbiv requested a review from a team July 14, 2026 13:49
@lmorchard
lmorchard merged commit d5af8f2 into main Jul 16, 2026
13 checks passed
@lmorchard
lmorchard deleted the stafford/tab-1091-fix-high-severity-tmp-path-traversal-cve-2026-44705 branch July 16, 2026 00:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants